Another try at pipeline rules

so, I think I must be doing something wrong (as usual), and I can’t find anything (Google, docs.graylgo, anywhere) about what I could be doing wrong.

I’m trying a simple rule: if there are two fields, I want to concatenate them as “field1 (field2)”, like this…

rule "test"
when
    has_field("event_localhost_ip") AND has_field("event_source")
then
    let part_a = concat(to_string($message.event_source),to_string(" ("));
    let part_b = concat(to_string($message.event_localhost_ip),to_string(")"));
    let event_source_ip = concat(part_a,part_b);
    set_field("event_source_ip");
    set_field("event_pipeline", true);
end

“event_pipline” is there for debug’s - and it shows up. But “event_source_ip” doesn’t.

You’re missing the second parameter of the set_field() function.

It should read:

set_field("event_source_ip", event_source_ip);

it works =D I thought if nothing was informed, it would read/use the variable itself. Thanks @jochen <3

I’ve created a bug report for this at GitHub:
https://github.com/Graylog2/graylog-plugin-pipeline-processor/issues/200

Unfortunately fixing this will be a breaking change and many scripts will break because of it, so don’t count on a resolution anytime soon.

yeah, I thought as much.(about being a breaking change). No worries, I do think this should be a future improvement, like a major version change, though.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.